@artur12089 wrote a post on how they were able to dominate mining (the PoW stage) before hard fork 13.
In the post, @artur12089 described:
... quickly (within a millisecond) calculate the corresponding private key necessary to make the new PoW valid according to the mining algorithm ... With the appropriate active private key d computed, the attacker can then change their account's active public key to the one corresponding to the private key ...
But there is a hole in that description: the private key behind a given signature should not be recoverable that quickly; that is the nature of ECC. In fact, with the old algorithm an attacker does not need to know the private key at all to submit a PoW. Once she has an input (the latest head_block_id plus any nonce) from step 3, and already holds a signature that is known to produce valid work (step 4), she can simply recover the public key (which is what goes into the PoW operation) with the same method used in step 6. In addition, because a transaction containing only a PoW operation required no signature (another hole in the old algorithm, fixed in the new one), the PoW will be accepted by other nodes.
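The recovery step described above, as an added example that is not code from the post, from @artur12089, or from Steem: a pure-Python secp256k1 implementation of ECDSA public-key recovery, followed by a toy PoW operation modelled on the description (worker key, input, signature). The hash layout of the input and the checks the validator performs are assumptions made for the illustration; the point it shows is that a node which only checks "the signature recovers to the claimed worker" accepts an operation built from an arbitrary signature, because the worker key was derived from that signature and no private key was ever involved.

```python
"""Added example (not code from the post or from Steem): ECDSA key recovery on
secp256k1 and a toy PoW op; input layout and validator checks are assumptions."""
import hashlib
import secrets

# secp256k1 domain parameters: field prime P, group order N, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(x, m):
    return pow(x % m, m - 2, m)  # P and N are prime, so the Fermat inverse works

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def compress(Q):  # 33-byte SEC compressed encoding, used as the worker's identity
    return bytes([2 + (Q[1] & 1)]) + Q[0].to_bytes(32, "big")

def sign(d, msg_hash):
    """Textbook ECDSA plus a recovery id, as an honest miner holding private key d."""
    z = int.from_bytes(msg_hash, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        R = mul(k, G)
        r = R[0] % N
        s = inv(k, N) * (z + r * d) % N
        if r and s:
            return r, s, (R[1] & 1) | (2 if R[0] >= N else 0)

def recover(msg_hash, r, s, rec_id):
    """The step-6 method: Q = r^-1 (s*R - z*G). Needs only the signature and the
    message, never a private key. Returns None if (r, rec_id) names no curve point."""
    z = int.from_bytes(msg_hash, "big")
    x = r + (N if rec_id & 2 else 0)
    if not (0 < r < N and 0 < s < N and x < P):
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # square root; valid because P % 4 == 3
    if y * y % P != y_sq:
        return None
    if (y & 1) != (rec_id & 1):
        y = P - y
    zG = mul(z % N, G)
    neg_zG = None if zG is None else (zG[0], (P - zG[1]) % P)
    return mul(inv(r, N), add(mul(s, (x, y)), neg_zG))

def verify(Q, msg_hash, r, s):
    z = int.from_bytes(msg_hash, "big")
    w = inv(s, N)
    R = add(mul(z * w % N, G), mul(r * w % N, Q))
    return R is not None and R[0] % N == r

def pow_input(head_block_id, nonce):  # step 3; the exact layout is an assumption
    return hashlib.sha256(head_block_id + nonce.to_bytes(8, "big")).digest()

def honest_pow_op(d, head_block_id, nonce):
    inp = pow_input(head_block_id, nonce)
    return {"worker": compress(mul(d, G)), "input": inp, "sig": sign(d, inp)}

def forged_pow_op(head_block_id, nonce):
    """No private key at all: choose the signature first, then derive the worker
    key from it with recover() instead of deriving the signature from a key."""
    inp = pow_input(head_block_id, nonce)
    while True:
        sig = (secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1, secrets.randbelow(2))
        Q = recover(inp, *sig)
        if Q is not None:
            return {"worker": compress(Q), "input": inp, "sig": sig}

def node_accepts(op):
    """All a node can check when the op carries its own worker key and the
    transaction needs no account signature: the signature recovers to, and
    verifies under, the claimed worker. The forged op passes by construction."""
    Q = recover(op["input"], *op["sig"])
    return Q is not None and compress(Q) == op["worker"] and \
        verify(Q, op["input"], op["sig"][0], op["sig"][1])

if __name__ == "__main__":
    head = hashlib.sha256(b"constructed head_block_id").digest()[:20]  # constructed
    print("honest op accepted:", node_accepts(honest_pow_op(secrets.randbelow(N - 1) + 1, head, 1)))
    print("forged op accepted:", node_accepts(forged_pow_op(head, 2)))
```

Run it with `python3` (no third-party packages); the arithmetic is deliberately simple rather than fast or side-channel safe. The forged operation is rejected only by a check the toy validator does not have: one that ties the worker key to an account whose owner must also sign the transaction, which is what requiring a transaction signature for PoW-only transactions provides.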